All about Cross Site Scripting (CSS / XSS) #HackerSeries

Cross Site Scripting is one of the most popular hacking methods used on the web and can be referred to as CSS (not to be confused with Cascading Style Sheets) or XSS.

XSS is only really relevant for dynamic websites, that is, websites that build their pages from content fetched from a database. Examples of dynamic websites would include those running on WordPress, Drupal or Joomla.

Cross Site Scripting is not dissimilar to SQL injection, in the sense that a hacker ‘injects’ harmful scripts (including JavaScript, VBScript and HTML) into a dynamic web page. The browser interprets this as a trusted script because, after all, it appears to have come from your website, so it executes the script on the end user’s machine when they unwittingly click on something that looks like a legitimate hyperlink. That script can then access any sensitive information stored in the browser (imagine how many saved passwords you have).

So to summarize:

XSS is a type of attack that is performed on vulnerable web applications and dynamic websites

The intention of an XSS attack is not to harm the website but rather the end user of the website

The harmful content is delivered to the users of the website using JavaScript

How do you stop XSS?

If you run a WordPress website then you’ll be very pleased to know that stopping XSS is relatively easy. There are plenty of plugins that have been developed to combat such issues. Take a look at the Sucuri or Smart Filter Security plugins. There are some freemium aspects to the services, but if XSS is a concern it should be addressed, and paying a small sum for the right plugin may be worth it.
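Whatever plugin you choose, the underlying defence is the same: anything that came from the database or from a visitor must be HTML-encoded before it is written into the page. The following is an added example (not code from the original post or from any of the plugins mentioned) showing the injection described above beside the encoding that neutralises it. The comment template, the `escapeHtml` helper and the sample comment are all constructed for this illustration.

```javascript
// Added example: why a dynamic page that echoes stored content unescaped is
// exploitable, and how HTML output encoding stops it. Everything below is
// constructed for the demo; it is not taken from the original post.

// The five characters that HTML text-context encoding must neutralise.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a string so the browser renders it as literal text instead of parsing
// it as markup. A single-pass regex avoids double-encoding the '&' entities.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: the stored comment is concatenated straight into the
// HTML, so a comment containing a <script> tag runs in every visitor's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened renderer: identical template, but the comment is encoded for an
// HTML text context before it is inserted.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Diagnostic used only to make the difference visible in this demo: does the
// rendered fragment still contain a raw, parseable <script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of a visitor-submitted comment carrying an inline script.
const SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script>';

console.log('unsafe :', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe   :', renderCommentSafe(SAMPLE_COMMENT));
console.log('unsafe still has script tag:', containsRawScriptTag(renderCommentUnsafe(SAMPLE_COMMENT)));
console.log('safe still has script tag  :', containsRawScriptTag(renderCommentSafe(SAMPLE_COMMENT)));
```

Run it with `node` and compare the two rendered fragments: the unsafe one contains a live `<script>` element, the safe one contains the text `&lt;script&gt;`, which the browser displays but never executes. Note that this encoding is correct for HTML text and attribute values only; content placed inside a `<script>` block, a URL or a CSS rule needs the encoding appropriate to that context.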